AWS Inspector ECR Scanning is not enabled
- Contextual name: Inspector ECR Scanning is not enabled
- ID: /ce/ca/aws/inspector/ecr-scanning
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- AWS Account
- AWS Account - object.extracts.yaml
- test-data.json
Similar Policies
- AWS Security Hub: [Inspector.2] Amazon Inspector ECR scanning should be enabled
Description
This policy identifies AWS accounts in which Amazon Inspector ECR scanning is not enabled.
Amazon Inspector integrates with Amazon ECR to automate container image security. It provides continuous vulnerability scanning by analyzing images when they are pushed to ECR and re-scanning them whenever new Common Vulnerabilities and Exposures (CVE) data becomes available.
Rationale
Enabling Amazon Inspector for ECR provides the following benefits:
- Continuous Assessment: Unlike traditional scan on push, which is a one-time event, Amazon Inspector continuously monitors container images stored in ECR for newly disclosed vulnerabilities throughout their retention period.
- Automated Risk Prioritization: Amazon Inspector assigns contextualized risk scores, enabling security teams to prioritize remediation efforts based on the severity and exploitability of vulnerabilities.
- CI/CD Integration: Automated vulnerability discovery helps prevent insecure container images from being promoted through CI/CD pipelines and deployed into production environments.
Remediation
Enable Amazon Inspector ECR Scanning
If you are the delegated administrator for an AWS Organization, you can centrally enable Amazon Inspector scan types across multiple accounts and Regions using the AWS CLI and automation scripts. For additional guidance, refer to the inspector2-enablement-with-cli repository on GitHub.
From Console
To activate Amazon Inspector ECR scanning:
1. Open the Amazon Inspector console: https://console.aws.amazon.com/inspector/v2/home
2. Using the AWS Region selector in the upper-right corner, select the Region where your ECR repositories are located.
3. In the navigation pane, choose Account management.
4. Select the account(s) for which you want to enable a scan type.
5. Choose Activate, then select ECR scanning.
6. Repeat these steps in each AWS Region that hosts ECR repositories to ensure full coverage.
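The check this policy performs, as an added example that is not the page's own prod.logic.yaml: it evaluates one Region's Amazon Inspector account status (the inspector2 BatchGetAccountStatus response shape is assumed) and builds the matching Enable request for the remediation above; the sample response, account IDs and messages are constructed.

```python
# Added example (not the policy's own prod.logic.yaml): evaluate an Amazon Inspector
# account-status response for the condition this policy flags. The field layout
# (accounts[].resourceState.ecr.status, failedAccounts[]) follows the inspector2
# BatchGetAccountStatus API; the account IDs and messages below are constructed.
SAMPLE_STATUS = {
    "accounts": [
        {"accountId": "111111111111",
         "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"}}},
        {"accountId": "222222222222",
         "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"}}},
        {"accountId": "333333333333",
         "resourceState": {"ec2": {"status": "DISABLED"},
                           "ecr": {"status": "SUSPENDED",
                                   "errorMessage": "constructed: scanning suspended"}}},
    ],
    # Accounts the API could not report on at all.
    "failedAccounts": [
        {"accountId": "444444444444", "errorCode": "ACCESS_DENIED",
         "errorMessage": "constructed: caller is not the delegated administrator"},
    ],
}


def ecr_scanning_findings(status_response, region):
    """One finding per account whose ECR scanning is not ENABLED in `region`.

    DISABLED, SUSPENDED and the transitional ENABLING/DISABLING states are all
    reported, as is any account whose status could not be read: an unknown
    state is not evidence of coverage.
    """
    findings = []
    for account in status_response.get("accounts", []):
        ecr = account.get("resourceState", {}).get("ecr", {})
        status = ecr.get("status", "UNKNOWN")
        if status != "ENABLED":
            findings.append({"accountId": account["accountId"], "region": region,
                             "ecrStatus": status, "detail": ecr.get("errorMessage")})
    for failed in status_response.get("failedAccounts", []):
        findings.append({"accountId": failed["accountId"], "region": region,
                         "ecrStatus": "UNKNOWN", "detail": failed.get("errorMessage")})
    return findings


def enable_ecr_request(findings):
    """Parameters for the inspector2 Enable call that remediates the findings.
    Failed (UNKNOWN) accounts are left out: their access problem comes first."""
    account_ids = sorted({f["accountId"] for f in findings if f["ecrStatus"] != "UNKNOWN"})
    return {"accountIds": account_ids, "resourceTypes": ["ECR"]}
```

Run the status check once per Region, as the console steps above do, since Amazon Inspector enablement is Regional.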
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Inspector.2] Amazon Inspector ECR scanning should be enabled | 1 | no data | | | |
| Cloudaware Framework → Threat Protection | 48 | no data | | | |
| PCI DSS v3.2.1 → 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking. | 2 | no data | | | |
| PCI DSS v4.0.1 → 11.3.1 Internal vulnerability scans are performed. | 3 | 2 | no data | | |
| PCI DSS v4.0 → 11.3.1 Internal vulnerability scans are performed. | 3 | 2 | no data | | |